Insight HIPAA Penalties Now Mandatory for Willful Neglect
As of February 18, 2011, the OCR is required to impose penalties ranging from $10,000 to more than $50,000 for HIPAA violations caused by a covered entity’s or business associate’s willful neglect. Last month, the OCR imposed its first penalty under the new standard: a $4.3 million fine against a Maryland health center.
HIPAA Penalties. As discussed in our past Client Updates, the federal HITECH Act dramatically increased penalties for HIPAA violations. The following chart summarizes the structure under the new enforcement rules:
Conduct | Penalty per violation | Penalty per identical type of violation per calendar year
--- | --- | ---
Covered entity did not know and, by exercising reasonable diligence, would not have known of the violation | $100 to $50,000. No penalty if corrected within 30 days. OCR may waive or reduce penalties | Up to $1,500,000
Violation due to reasonable cause and not willful neglect | $1,000 to $50,000. No penalty if corrected within 30 days. OCR may waive or reduce penalties | Up to $1,500,000
Violation due to willful neglect, but the violation is corrected within 30 days after the covered entity knew, or by exercising reasonable diligence would have known, that the violation occurred | $10,000 to $50,000. Penalties mandatory effective 2/18/11 | Up to $1,500,000
Violation due to willful neglect, and the violation was not corrected within 30 days after the covered entity knew, or by exercising reasonable diligence would have known, that the violation occurred | At least $50,000. Penalties mandatory effective 2/18/11 | Up to $1,500,000
(45 CFR § 160.400 et seq.).
Bad News: Mandatory Penalties Imposed for Willful Neglect. As reflected in the chart, violations due to willful neglect now carry a mandatory penalty ranging from $10,000 to at least $50,000. “Willful neglect” means the “conscious, intentional failure or reckless indifference to the obligation to comply with [HIPAA]…” (45 CFR 164.401). On February 4, 2011, HHS fined Cignet Health Center $4.3 million for HIPAA violations. Interestingly, the penalty did not relate to any breach of privacy; instead, Cignet was fined $1.3 million for failing to timely respond to 41 patients’ requests to access their health information, and $3 million for refusing to cooperate with the OCR’s investigation. The penalties confirm that HHS is serious about enforcing all aspects of HIPAA, not just the privacy provisions. They also send a clear warning to those who do not take OCR investigations seriously.
Good News: May Avoid Penalties if No Willful Neglect. The good news is that the mandatory penalties are reserved for only those violations that involve willful neglect; for other violations, covered entities and business associates may avoid penalties altogether if they correct the situation within 30 days. Even if they fail to correct the situation, the OCR may waive or reduce penalties if it determines that the penalties in a given case would be excessive. Covered entities and business associates should take appropriate action to ensure that they are not deemed to act with willful neglect. Among other things, entities should:
- Implement the written policies that are required by HIPAA as set forth in 45 CFR part 164, including those dealing with use and disclosure rules, electronic security, patient rights, breach notification, and administrative requirements.
- Train employees and other workforce members concerning the policies, and document the training.
- Immediately address and correct any potential HIPAA violation and document such actions, including the imposition of sanctions against those who violated HIPAA.
- If required, notify patients and HHS of privacy breaches.
- Cooperate with the OCR during any investigation.
Taking such actions should protect covered entities from a finding of “willful neglect” and the mandatory penalties that may otherwise follow.
If you have questions about these or other legal issues, please contact a member of our Health Law group or call 208.344.6000.